/cyber/ - Cyberpunk & Science Fiction

>>35428

Do note that I was referring to digital attack vectors and was trying to make the point that even if you have a theoretically perfect digital setup with a perfect encryption scheme and perfectly isolated computing systems you are still vulnerable to physical attacks, some of which are absolutely unbelievable to someone who has never heard of things like Van Eck phreaking. I know the first time I ever heard about these attacks I just wanted to throw every electrical device I owned in the trash and go innawoods. To think that even if you use a one-time-pad and digital diodes to prevent attackers from being able to exfiltrate data you can still be exploited by the FBI van across the street listening to the fucking electromagnetic radiation of your house…

The link for the air-gap vulnerabilities wasn't intended to be an exact list of potential weaknesses but more to show ways that this system can be broken if you don't know of these attacks. It's not like you're going to be using a smartphone to send TFC-OTP chat messages. And like I mentioned before, new attacks are being discovered every day, you can hardly defend yourself against attacks you've never heard of.

I'm sure if someone had the resources to setup an implementation of TFC-OTP properly they would use appropriate measures to protect against all of those physical attacks as is outlined in the whitepaper and more. [faraday cage, soundproof room with no windows, physical locks on doors, proper OPSEC when it came to defending your house, using an off-grid power supply for all devices behind data-diodes, etc] But all of that is well beyond anybody that isn't proud to wear their tinfoil hat. The best thing to do is to educate yourself, learn just what's going on under the hood, understand why you shouldn't use short passwords, why you should use encryption, why you should use GNU/linux or BSD, how hackers might be able to attack you and what you can do to prevent that from happening and so forth.

>>35460

>you can still be exploited by the FBI van across the street listening to the fucking electromagnetic radiation of your house.

If you trust the RxM hasn't been exploited in a way it shows different ciphertext, you could edit the software to do OTP say, mod 26.

You could then do OTP by hand provided that you have a way to tamper-evidently store the pad and a way to detstroy messages and pad. This approach is TEMPEST proof.

>wasn't intended to be an exact list of potential weaknesses–

Naturally. TFC addresses many known unknowns and possibly even some unknown unknowns – not all; Users need to create an informed threat model.

I don't think you should be choosing between whether you use TFC with every additional layer or whether you don't use the tool at all. Choose between the ways you're going to secure the physical environment. Tails is a great way to anonymize your identity and physical location, it doesn't necessarily protect your endpoint from compromise. TFC does that. If you're using

TFC through Tails, you just might be able to hide your physical location, so the combination it's all you need. Most of XMPP-servers are reached via exit nodes, yet some operate as hidden services; You should use them. I'm looking into integrating NH.py features with Ricochet that uses more decentralized approach inside Tor network. The developer seems to be busy with his work atm.

The most important thing is to ensure the separation of TxM and RxM. If you use netbooks as TxM and RxM, you already have battery operated devices, so there's very little to do apart from removing the sensors etc.

Secure communication isn't just about principle and basic human rights, many people depend on these tools with their lives. It would also appear mass surveillance is expanding to bulk CNE, where anyone's computer can be exploited in the future. TFC remains for now, the only tool that keeps you safe from this modern panopticon.

Can someone explain to me what's wrong with uBlock Origin? I see people complain everywhere but no one tells me why it's actually bad.

>>35533

There is a line between "using free software to stay safe", and "being a filthy hipster who just HAS to be different". The people claiming that uBO is bad crossed that line long ago, and now that it's becoming FOTM, are spreading disinfo simply because it makes them more hip in their own eyes, and purist in the eyes of other freetards. So people swallow it without a second thought.

>>35537

So there's nothing wrong with it and its the work of a handful of lone trolls. Makes since considering the posting patterns (seems like there are only one or two shazbots repeating the same shit baselessly).

>>35455

https://panopticlick.eff.org/

>Currently, we estimate that your browser has a fingerprint that conveys . bits of identifying information.

only useful if those bits of information are in anyway actually correct.

>>35533

>doesn't read the OP

>acts like a dumbass

>>35537

>>35542

>>35533

hello shills

https://media.8ch.net/cyber/src/1445341808336.png

>>35655

I read the OP, pic in the OP and link in the OP. Discussion is becoming ridicilous right now, because no one answered what is wrong with ublock.

Rephrasing for autists:

– What is wrong with ublock?

– Don't you know? Its shills. Shills!!!

Please don't answer anymore, prevent yourself from zashquaring even more

>>35658

you can leave now, shill.

>>35655

>>35649

Given your fervor in pushing people away from what appears to be a good ad blocker, it makes me wonder if you might be the shill here.

>>35662

so you didn't read the OP

>>35665

>didn't even read the OP intensifies

>keeps saying they don't trust OP

>OP points them to the guide they stupidly refuse to read

>they keep not reading the guide and complaining

GET OUT

>>35666

NO U

>>35663

>>35666

I did, and the OP guide says nothing about why it's bad, only that you should use an adblock fork with worse performance that's not being updated anymore.

Fuck off back to doubleclick or wherever you came from, shill.

pretty good list of addons, i don't know/need all of them though.

ad blockers are entirely useless imho.

evil ads are blocked through refcontrol/noscript already and if there are any tracking methods left then Disconnect (which is missing on the list) should take care of that, or is there reason to distrust that too?

>>35864

Fuck off shazbot

>>35722

I believe Disconnect is just a more botnetty RequestPolicy

>>35866

why are you disagreeing with me, and then going on to say disconnect sucks? I'm on your side aren't I? OP mentions how bad disconnect is.

Modified hosts lists save you a lot of hassle.

For everything else (i.e. youtube ads and the ilk) Really, any adblock extension should do the work, but go with something you can view the sourcecode of if you're actually paranoid.

>>35041

well OP, I installed literally everything in that list and broke my icecat so it just crashes every time I open it

10/10

>>35943

Setting up hosts list is a pain though.

And my PC's keep breaking ~once a year, so I just can't be bothered even to install an ad blocking plugin anymore.

So is hating uBlock Origin just some ebin meme or is there actually something wrong with it?

>inb4 shill

>>41903

All I found is that current uBlock maintainer is a twat.

Nothing on uBlock Origin, though. Guess it gets flak just by association.

>Tfw you don't know shit about this

It's depressing, in order to understand this i should be studying a shitton of computer theory.

I'm already doing it, but it feels really bad knowing that you must learn all this shit just to enjoy privacy.

I hate that i chose chemical engineering as a major, if i had chosen CS or some engineering related to pcs i could understand this better.

>>41908

Nothing's stopping you from learning. Computers are more complicated than just learning CS. I'm bad at networking and penetration testing just because I prefer to write code and work on FOSS and personal projects. Just because you want to be smart and actually be safe doesn't mean you have to go full blown autist.

>>41910

By the way, i have started learning C some months ago, and assembly. I've been reading on networking too.

My idea is to be able to REALLY understand what's going on on my pc. Because i feel like blindly following guides on the Internet could fuck my shit up too, even if i trust the chans a bit more that the propaganda bloated mainstream.

Do you think i'm wasting my time?

>>41949

Not in my mind, but I'm biased towards encouraging people to learn about computers and shit.

bump

Any copperheadOS users here?

>V.2

Where is version V.1?

>>49603

In the hell of outdated guides.

Something up to date would be:

uBlock Origin

Pretty much no competition here, although Pale Moon has some unique options and some browsers have their own implementation (See Brave, Qupzilla, etc).

Https-Everywhere

Pointless these days since now most of the web is https, and those that aren't just don't have the capabilities implemented. Thus you'd be giving a certain entity a log of every site you visit just to get a few more sites with partially implemented https working for your browser.

Classic Theme Restorer

Is mostly a question of preference on Firefox Forks.

uMatrix

Recommended versus NoScript, since the latter has fallen behind in development and catching up with new features. +Request Policy is dead.

Plenty of good cookie destruction options out there. Pick your favorite, but get ONE.

TrackMeNot is a meme, just get an Agent Spoofer.

>>35147

Can you show where or how IP6 was designed to be more secure? IP6 borked expertise on IPv4 that existed, people misconfigure stack, and are unaware a stack is even operating and don't firewall ip6. IP6 doesn't feature any additional auth or condfidentiality features. Its not more reliable than 4. (Thats CIA triad right there). IP6 is based on the idea of not having have nat, and connecting each host directly to internet which requires better host security.

There are enhancements to IP through IPSEC that have authentication (AH), or encryption features. IP6 isn't magic, and requires additional expertise to be used securely.

>>43240

Yes. Disappointed with it tho.

>>>/poltech/

They need this as well

>>35041

This issue with threads like these is that they always get the base-line fine, but only rarely do they ever rise above it much at all. Like yes, 101, install Ublock and noScript or whatever.

I wish there were more of these related to a higher level discussion and with a much higher level of actual advice for facing off against high level threat actors.

I want to know how to manually disable kernel modules to stop firewire attacks, not how to install browser addons.

>>50760

Agreed. We have a shitload of guides/infographics for the basic stuff.

How about some advanced shit? Hardening a personal Unix, encrypting your disk in the first place, stripping your kernel of shit you don't need and potential security holes?

How about some information on what you can't changed but should know about (IME & Co.), as well as limits on personal hardening imposed by laws?

Basic stuff is probably the only stuff that will fit in a simple infographic.

Someone would have to put effort into a guide which only ~5 people will ever use.

Basic stuff requires less effort and more people will use it.

I still agree though; a catalog of basic/advanced infographics and guides would be nice.

>>50767

>>50772

Simplified guide books would work

>>50772

>>50868

Well, let's get to it. Someone could create a repository on Bitbucket/Github (have the man host the guides to evade the man) and we could just add the stuff as markup files.

This board's usually all bickering and no doing, wanna change that?

>>50869

get in and start the school bus #school:matrix.ordoevangelistarum.com

>>50868

I'd consider making a bunch of pdfs if /cyber/ made a list of useful things to know.

>>50998

I don't have materials for you but I know what's important so you can start looking:

-Explain the implications of Snowden documents. Collect good articles published by The Intercept for example. Wikipedia has good summaries too "Global Surveillance Disclosures (2013-)".

-Explain what free and open source software is. Explain how it's better than open source (because it emphasizes responsibility of developer and freedom of user over freedom of developer to do whatever they want). Maybe put the context of freedom in "ethics vs anarchy". Explain how it's easier to verify what the software is actually doing.

-Explain how proprietary operating systems can not be verified and thus can not be trusted. Explain how it's especially the case with Windows, that's a service (making brouzouf by spying on its users like Facebook). Explain why Linux, BSD and last but not least, OSX are superior choices over Windows.

-Make guide for Full Disk Encryption with different operating systems.

-Explain why SSL is not proper encryption in situations where server is not the destination, but ill-advicedly trusted middle-point between user and their contact who are exchanging information. Explain how end-to-end encryption protects user from server.

-Make guide for end-to-end encrypted messaging with good communication apps like Signal and Wire (and not apps like Tox written by amateurs, not proprietary apps like iMessage, Wickr and Threema, and definitely not incomplete apps like Telegram or Riot/Matrix with E2EE disabled by default).

-Explain difference between content and metadata. Explain importance of metadata in surveillance. Watch e.g. http://agoodamerican.org/ to get a good grasp on the topic. Explain implications of Signal not protecting your metadata.

-Explain why native clients are more secure than JS downloaded over every session using just SSL.

-Explain why PGP in 2018 is a bad choice. Explain what are forward secrecy and deniability and why they are needed.

-Explain why VPNs are nothing but glorified proxies, useful only against local hackers in e.g. airports, doing things like ARP/DNS poisoning or SSL-stripping or HTTP eavesdropping. Explain how Tor is anonymity through technology, and VPN is "anonymity" through VPN provider's policy. Explain the legal implications of that. Explain that MPAA is different threat model than government looking for dissidents. Explain that while MPAA maybe can't walk over jurisdictions and while VPN protects people downloading torrents from them, NSAs of this world do not play by the same rules. To them VPN is not even a challenge. Tor however is. Back this up with NSA's Tor Sticks slides.

-Show how much tracking takes place with Firefox Lightbeam by Mozilla.

-Show how difficult it is to make normal browser blend in (i.e. appear non-unique) with https://panopticlick.eff.org and show how Tor browser succeeds in that. Explain why that's important.

-Make guide for anonymous browsing with Tor. Check Tor's FAQ for risks involved with anonymous browsing. Make sure to include those.

-Explain Tor hidden services and their implications regarding server's non-existent IP logs.

-Explain importance of whistle-blowing sites like https://securedrop.org/ for healthy democracy and how Tor helps in that context.

-Make guide for anonymous (metadata-free) chats with Ricochet.

-Make guide for anonymous file sharing with OnionShare.

-Explain Man-In-The-Middle attacks and importance of public key fingerprints in messaging apps. Explain why authenticity of OnionShare or hidden service URL, RicochetID and Signal fingerprint are so important.

-Link to good resources like https://ssd.eff.org/

>>50772

If you can't make your buddy use super secure messaging apps then they are a bottleneck in your overall security. But even if they use insecure comms apps, a good hardened OS is always better than a Windows with its telemetry features.

I think people here should look into Qubes-OS if they want more security before looking into stripping modules from their Kernel.

>>51004

You guys mistake 'friend' for 'accomplice'. You talk to your friends on Facebook. You don't talk to your accomplice online, at all, unless you have to and then you do it securely.

But, to have an accomplice, you need to have done something. Then, had someone else give enough of a shit about it to have done it with you. Then, have it be big and complex enough to have actually needed to discuss it.

None of you motherfuckers do anything, ever, so we all know you got no accomplices and belong on Facebook with all the other bitch ass pussies that don't do shit.

>>51006

Your logic is faulty because you assume getting people off facebook to better alternatives isn't doing something meaningful in itself.

It's you who isn't getting anything accomplished. It's you who's whining here, telling No True Scotsman talks to accomplice online.

It's not like you can find accomplices online if you don't get close to them, and it's not like you can get close to anyone in monitored chats of Facebook.