/cyber/ - Cyberpunk & Science Fiction

>>42509

> do you guys do to protect your smartphones? Is ubuntu phone any good or there aren't enough apps to make it viable as a smartphone?

I protect by installing a custom rom on it + remove camera / front camera and microphone.

>>42516

They keep track of your location anyway though, that was proved last year.

>>42520

>>>/cyber/42338

>>42520

>>>/cyber/42338

this for sure.

>>42523

whoops, and it doesn't let me delete. 8ch.net is so busted. when will they fix it?

>>42509

>>>/cyber/42339

and this

>>34026

>and Chrome's a botnet

You're using MacOS 10 and Safari.

>>33931

Government is a type of corporation, ya dip.

>>42524

Hadn't seen it from that particular perspective.

But yeah, smartphones are blackbox devices.

For starters, the smartphone was a mistake, and it's a terrible idea to use a smartphone at all. Period.

There is absolutely no need for a smartphone, whoever thinks otherwise is a tool of Da System™.

That said, even normal cell phones are tracking deviced by their very own nature, and you can't be sure that they don't have some sort of backdoor either.

If you have an Intel chip, your PC was compromised out the box. Sorry chummers.

https://en.wikipedia.org/wiki/Intel_Active_Management_Technology

I do the basics: VM's, GNU/Linux, Tor, I2P, ZeroNet, VPN, no google, custom android rom no gapps, etc..

>>38911

you can only get in trouble for exits. Ran a guard for 3 years off a Raspberry Pi, since all Tor traffic has to pass through at least 3 or 5 nodes only the exit node is unencrypted. In the US at least you can't get into trouble for allowing random encrypted traffic on your network (yet)

>>42452

>how to make bombs

yes if you google that you're a moron and deserve to be redflagged

I'm posting in this thread using Tor for starters.

I also ditched Facebook, and mostly keep in touch with friends via Signal.

And cash, glorious cash. I spend it.

Tor, VPN, no SNSs (facebook, google etc), brouzouf purchases, no chat clients, gpg with email, no mobile phone contract, stuff.

>>46991

impressed with that level of privacy, I don't think I could ever get to that level

I just live a very simplified life.

>>47004

It's not as hard as it sounds (even if you aren't a friendless NEET). Facebook is too uncool to use anyways, and google is easily replaced with Startpage with almost no sacrifice to convenience. You get used to paying for everything with cash, and it helps you keep track of your spending. Burner refillable phones are extremely cheap and usually less costly in the long run than contracts.

One of the more effective things you can do is to simply never make accounts for anything you don't need to, and to use new burner emails and usernames for each account you have to make.

>>47010

Did you know that even if you don't have a Facebook account, they're profiling you anyway ? (Same shit with google, tweeter etc…)

See those share/tweet buttons on every webpage ? Consider those as websites. This way, they log your IP/time/localization without having an account.

The only way is to redirect every domains to your machine with your host file.

Guys, it's pointless sometime.

>>47072

Isn't that what umatrix/noscript/request policy is for?

>>47072

>The only way is to redirect every domains to your machine with your host file.

or use tor or proxy

>>33923

That sounds like a bios problem. Check if it boots under legacy or UEFI.

Surprisingly, UEFI seems to work much better than legacy.

Then try it again under either Arch Linux (you don't have to keep arch, though). Arch generally supports everything, so compatibility won't be an issue.

>>47077

That doesn't always work anymore since we use DNS. If you block it through DNS, though, then you won't have issues.

>>39178

Kerckhoffs's principle isn't the same as "don't invent your own ciphers". Of course one shouldn't invent or implement ciphers (but use existing cryptographic libraries like libsodium or something else. See https://en.wikipedia.org/wiki/Comparison_of_cryptography_libraries)

Kerckhoffs's principle is general advice for transparency and moreover, advice that the method of encryption shouldn't be secret in itself. That's why encryption algorithms are keyed, similar to how locks are keyed. Lock is secure although everyone knows the principle behind the lock. Kerckhoffs's principle states "don't assume security because nobody's going to drill one lock to see how it works, and find the weakness".

>>50952

To further expand on this point, no one ever said 'Don't create your own encryption', they said 'Don't count on your home brewed encryption.'

If you want to create a cipher, and you really think you've got something special, then release the source for analysis.

If you think you whipped up a cipher on your own in your basement that the letter agencies won't cut like a hot knife through butter, you're almost certainly, laughably, wrong.

That doesn't mean don't do it, just don't use it anywhere.

If you're so paranoid that you honestly think every available encryption alg has a backdoor or is already broken, by all means do a second layer of your own special sauce. Maybe use someone else's reference implementation of one of the slower algs that was never chosen for mass use.

Don't let the fact that a good encryption alg needs to be reviewed by peers stop you from trying your own implementations.

That's how, eventually, we end up with devs who are implementing and auditing new algs. You gotta cut your teeth on something.

Just, for the love of god, know they're toy implementations and treat them as such.

>>50953

I fully agree one should release the source always. However, if one expects a peer review, the road to the top is of the rockiest out there: https://www.schneier.com/crypto-gram/archives/1998/1015.html#cipherdesign

Related to the Dunning-Kruger effect and over-confidence your reply touched, this top answer is fantastic:

https://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own

>That doesn't mean don't do it, just don't use it anywhere.

Fully agree. Always attach a warning sign "WARNING! This is a toy cipher intended for the purpose of learning about cryptography! Do not use it for anything serious!"

With that banner, feel free to play with crypto all you want. No expert or expert novice is going to bother blaming you for snake oil salesmanship.

>Maybe use someone else's reference implementation of one of the slower algs that was never chosen for mass use.

It's harder to verify 3rd party implementation of e.g. Serpent – deemed more secure but slower than AES – is 1) correct b) side-channel free.

Personally I'd only use vetted ciphers. But caveat emptor, there's room for healthy amount of skepticism towards NIST after DUAL_EC_DRBG. https://safecurves.cr.yp.to/ lists NIST's P-curves insecure.

>>34080

can you do this and have irl friends?

>>50966

friends are a threat to your privacy beware

>>50966

No, and he's also on a list for being 'abnormal'.

I use stuff the way you'd normally use stuff, unencrypted email, pics of my wife and kid on facebook, ect … then I have a separate laptop for doing other things.

That way there's no black hole in my social profile, I just don't stick out at all.

>>50978

You can pretend that being a filthy disgusting normalfag somehow is a good thing, because you've just got a really sick cover, but in actuality you're just a filthy disgusting normalfag.

>>51028

> you're just a filthy disgusting normalfag.

What's sad is you pretending you're special. I said there's value in making a conscious decision about what to share, and sharing enough that you don't stick out, but I'm getting the vibe that you're an autist who shares pedo porn and gun picks on Tor, thinking that makes you super cool, and it's everyone else that's wrong. Meanwhile, the letter agencies have had you on a list for years, not because you're special, but because you're socially retarded, and don't know any better.

It's not about leaving NO footprint and vanishing completely.

It's about leaving enough of a (non-compromising) footprint that nobody will raise an eyebrow.

Living two lives looks much more dangerous to governments than living in privacy. Which one sounds like a newsworthy article: "A hermit was found living without social media" or "Man was found living two lives". One of those scares us more because that could be anyone around us. That's what's currently driving the domestic spying programs: The enemy within.

The government can see you making changes, and they will observe the amount of changes you make to your life to determine how much you desire privacy. Take two cases

A: "the guy downloaded Tor browser, he must be a criminal"

B: "the guy downloaded dozens of add-ons and tweaked hundreds of settings in their browser and the add-ons, and actively manages their cookies, headers, VPN etc., he must be a criminal" (some of the good posters in this thread)

In these cases, just using Tor browser does not make you hundred times bigger threat because it's hundred times more effective than all the other measures of case B combined. Had the person set up another Tor-like, global anonymity network themselves, injected proxy clients to devices of thousands of innocent users just to bounce their traffic, that would look (and probably be) hundred times more dangerous than case B, which to government actually looks A LOT more dangerous and dedicated than case A.

Why is Tor browser more secure then? It's because it's the result of more than a decade of work towards anonymity and privacy by privacy activists, hackers and security experts. That effort is not the fault of the users however. They just download the client and be done with it. Perhaps they might tweak the single privacy setting slider prompted by the browser during initial start. Not only is that hundred times more effective, it's hundred times less effort. Again, because it's less effort, it looks less dedicated and so, less dangerous.

Why is it more effective then?

Whenever you browse the internet you assume the server and the ad-displaying backend is trying to deanonymize you. They do this with a massive, never-ending game of "Guess Who" where they tie information about the user across sessions with cookies, and run all sorts of analytics systems about user behavior and compare them to databases about users, sold from business to business (that type of trading is invisible to end users).

If you make yourself anonymous, it means that session is not tieable to any other sessions, even if your AT&T works together with the destination server, and when the network of analytics companies connected to destination server work together. It's not just what information you make available, it's the metadata about how much information you leave. In case B you might have succeeded so well you display totally different data every time you connect. But you also caused the browser to leave about 11 bits of random identifying information, and everyone else has 2..1000 times as much. So they can link your sessions together with reasonable reliability. All it takes is one mistake. You publish something that's identifiable, say your password manager auto-typed the wrong password the company logs, and that random password is leaked from another company's plaintext database along with your first.last@name.com email. All those sessions are now tied to you, and while they won't show you ads based on that, all that analytical data can now be sold to a company that has backroom dealings with the government interested in users with small digital footprint.

With Tor, every browser looks exactly the same as long as you don't go tweaking it. Imagine playing Guess Who where you have 50 identical Tor logos on your side of the board. There is only one question to ask: "Does your person look like a Tor user?" In such situations there is no risk of retrospective deanonymization either. Every action could have done by any of the more than 2 million daily Tor users.

Tor is not enough however: The site tries to deanonymize you by observing what you read from the site, and by what you post to the site (searches, writings). By disabling javascript in Tor browser, you can prevent the web site from dynamically analyzing what you do, where your mouse is etc. Then it's up to the content. Do not post too much information in one go, always reset the Tor browser session between posts and when changing domain. Never click links. Always right click and copy-paste address to hide referrer information from next site. If the link on clipboard has referrer information, delete it manually or try to find the destination with search engine based on e.g. headline next to original link. Alter your writing style when possible. Sometimes even argue with yourself in subsequent replies or call yourself a newfag.

>>51032

>It's about leaving enough of a (non-compromising) footprint that nobody will raise an eyebrow.

That's actually a considerable amount of work compared to the former of just dropping off completely, which is a shame.

Surprised nobody has developed a piece of software that continually floods your network with mundane traffic, like watching all the "Trending" videos on Youtube, and reading the most popular Buzzfeed/Guardian fluff pieces.

>>51478

I will guarantee you the second someone comes up with it the government will just adjust their algorithms. The only place I see this spreading is some site like hackbb but they nuked it and I haven't found a replacement.

>Surprised nobody has developed a piece of software that continually floods your network with mundane traffic, like watching all the "Trending" videos on Youtube, and reading the most popular Buzzfeed/Guardian fluff pieces.

it's been done years ago fellow anon

https://www.nyu.edu/projects/nissenbaum/papers/HoweNissTMN.2.8d.pdf

>>33903

A Huge oversight on these boards is that a technical security program isn't good enough to protect your privacy. Because your privacy is being violated constantly offline by every commercial interaction , and even as you walk around retail stores.

Check out The Complete Privacy Security and OSINT show by MB . He details an offline privacy program including privacy.com credit cards, faraday bags, CMRAs, mysudo , blur, 33mail to help remove identifiers from your life and protect your privacy.

>>33903

>what are YOU doing to stop intruders from spying on your everyday life?

1. use internet services as little as possible, eg no social media

2. when i do use internet services, i use ones that (claim) to not store data, eg google -> duckduckgo

3. when i use internet services i obfuscate the data i give them, eg use tor to obfuscate data going to ISP

>>33903

>>57465

You're know Searx exist, right?

https://searx.space/#

Meta-searx such this one, even replace links with official .onion mirrors of sites:

http://searxes.wodferndripvpe6ib4uz4rtngrnzichnirgn7t5x64gxcyroopbhsuqd.onion/

I would argue against what some of you lads have said regarding Social Media. Part of internet security is creating a smoke screen which indicates to any observers a normal pattern of behaviour. Create the most normal looking social media. Craft it so that people only know what you want them to know. It's the same with browsing and proxies.

>>33932

running a relay node is safe. Running an exit node needs a legal team.

>>57961

>https://cypherpunklabs.com/

Cypherpunks Labs will host an exit relay for you for $10 / mo.

Only use open, decentralized protocols for communication, with support for end-to-end encryption. Encrypt your drives. Get a security key. Secure your home network.

Good opsec, while still participating in "normal" life, is more or less impossible. No amount of leenucks or phone ricing will change the cameras on the streets or the smartcard you use to get into your apartment.

>>58337

Can you give me some tips for OPSEC and PERSEC?

>>58343

https://sizeof.cat/links/

Some links